
Build for AWS

Deployment

A Service Provider can deploy a new appliance directly from Veeam Backup and Replication or from AWS Marketplace.

If the Veeam Backup for AWS appliance is deployed from Veeam Backup and Replication, no extra connection is needed.
If an appliance already exists in AWS but is not connected to Veeam Backup and Replication, it can be added from the VBR UI.
There is no limit on the number of appliances deployed and connected.

Storage

See the general recommendations for AWS Cloud storage here.
A Service Provider may create backup copies from AWS S3 using Veeam Backup and Replication.

Note that backup copies can land on a regular VBR repository.

Pros:

  • Storage agnostic
  • Backups can be sent to a Repository in another Cloud or region
  • Enables Immutability options for copied backups

Cons:

  • Requires another repository
  • Egress cost for backup copy
  • Immutability is available only for a Hardened Linux Repository or within a SOBR with an S3 Capacity Tier attached with Retention Lock. All Veeam-Ready vendors of S3 immutable storage are listed here.

An S3 bucket with Cloud backups can be attached as an External repository to any Veeam Backup and Replication, e.g. for DR purposes.

Licensing

Licensing for Service Providers is Rental (pay as you go), consumed from the pool of Veeam Backup and Replication licenses.
The number of deployed appliances doesn't affect license consumption.

Veeam Service Provider Console, within the standard feature set, will transparently show workloads protected by Veeam Backup for AWS. The Pulse plugin will work for Cloud VMs.

Useful resources

See more details on deployment steps and sizing for Veeam Backup for AWS below:

  • Deployment steps for Veeam Backup for AWS are fully described in the deployment guide
  • Sizing of the appliance is described in Best Practices for Public Cloud here
  • Sizing of workers is described in Best Practices for Public Cloud here
  • Repository sizing is described in Best Practices for Public Cloud here
  • IAM role permissions are described in the deployment guide here

Pod Architecture

POD design is a good choice when the requirement is to share full access to the appliance. However, make sure you separate the production subscription and the backup account, so that if one account is compromised, the other remains safe.
All PODs connected in Veeam Backup and Replication are visible with the protected data.

  • Deployment of new Appliance
    Since it's infrastructure dedicated to a specific tenant, you may run it under the tenant's subscription.
  • Deployment of workers
    Workers that process the data are provisioned automatically, and the tenant can control the amount of resources available for data processing in their subscription. Costs are also covered by that account.
  • Storage account in the Cloud
    There is no limitation on regions or on the number of buckets you'd like to keep the data in. Storage costs are also covered by that subscription.
  • Access to Appliance
    The appliance and its configuration are available via the web UI or from Veeam Backup and Replication. The Service Provider can share a dedicated URL for access to the appliance with their tenants. Access can be restricted with built-in RBAC when needed; MFA is supported.

Pod per tenant Design

The listed ports don't include ports required for product updates. TCP 11005 is needed for REST automation from a workstation. Check the full port requirements here.


Shared Access Architecture

Shared Access design fits well when the Service Provider builds services around their own Cloud subscription to cover all management operations for data protection.

When the Service Provider builds the service under their own subscription and performs all backup and restore operations, shared access design is the best choice. Cloud costs for backup processing and storage are then carried by the Service Provider, which might be a part of the service.

  • Deployment of new Appliance
    Since it's infrastructure shared by a number of tenants, the service provider can deploy one appliance without giving tenants access to it; otherwise they might see each other's data. Data access control in AWS is managed via IAM roles and AWS SQS, which peer workers to EC2 instances and other workloads for processing.

  • Deployment of workers
    Workers that process the data are provisioned automatically under the service provider's subscription, with shared access to the client infrastructure. Workers can be deployed in the tenant's region to reduce costs and increase the efficiency of backup operations.

  • Storage account in the Cloud
    In this scenario S3 buckets are managed by the Service Provider. It's recommended to have at least one bucket per tenant. Storage costs are also covered by the Service Provider under their subscription.

  • Access to Appliance
    The appliance and its configuration are available via the web UI or from Veeam Backup and Replication. In this scenario you should not share access to the appliance with the tenant; otherwise they will be able to manage all data there, even with the lowest restore operator role, because there is no split per data set.

Shared Access Design

The listed ports don't include ports required for product updates. TCP 11005 is needed for REST automation from a workstation. Check the full port requirements here.



Copyright © 2019-2022 Solutions Architects, Veeam Software.